This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

UTM 9.509-3 - Webpage Timeouts in Chrome after upgrade 9.509-3 in transparent mode

Hi

Since upgrading to 9.509-3 I have been having difficulties with random websites (amazon, scan.co.uk and others)  timing out when using Google chrome. I've inspected the logs and cannot see any issues at all. I've cleared the cookies/cache, re-installed the browser but now exhausted my options. I am in no doubt the problem lies directly with chrome as the websites have no issues in Firefox, Internet Explorer, Edge.

My setup is;

SG-210 in Transparent mode with SSO and STAS configured

When the pages time out, the following is displayed;

This error is completely random and doesn't appear on other UTMs using older firmware. It seems to break for random websites whilst still allowing me to browse others. Everything was working fine up until the upgrade.

Any ideas would be appreciated

Thanks



This thread was automatically locked due to age.
Parents
  • Because it has not been mentioned:

    For completeness, you need to check the Application Control log and Intrusion Protection System logs.   One would expect these to drop consistently, not intermittently, so you will probably find nothing relevant.    When these functions activate, they drop the packet, and the browser will wait before declaring a timeout.   The browser timeout entry can be up to two minutes after the IPS entry.

    The problem is more likely to be here:

    Since the problem only affects Chrome, it is probably related to Chrome's QUIC protocol, which uses UDP 443 to make https run faster.  This is my understanding of the interaction between QUIC and UTM

    • By default, UDP 443 bypasses the web proxies and is handled by firewall rules, where outbound traffic probably has an allow-all rule, so it is allowed.
    • Bob Alfson says that if you configure UDP 443 in the web proxy additional ports list, it can be handled by Transparent Mode Web Proxy.   In the absence of a statement from Sophos that they routinely test to ensure correct QUIC operation through the proxy, I am reluctant to try this, and I favor Standard Mode proxy.
    • QUIC will bypass standard mode proxy


    You have not said which of these configurations is active in your situation.   That detail may be important.

    I recommend blocking UDP 443 at the firewall, which will disable QUIC.   See if the problem goes away, and report back.

  • Hi

     

    Same Problem here!!

    Works with IE not with chrome

  • Hi Bob,

    the problem happens when the browser does the Transparent Mode Active Directory Single Sign On. In IE the URL for SSO looks like http://<firewall name>/auth?=fvrosigfhwohgshg. In Chrome the URL is https:<firewall name>/auth?=fvrosigfhwohgshg. Because the UTM does not listen for SSO-Auth on Https there is a timeout.

    Cheers, Julian

  • That's exactly my problem and unfortunately nothing suggested so far has solved the issue.

    I have also tried to find a log entry which may shed more information but there isn't any at all. I've re-created the problem numerous times on different computers with the log windows open and filtered to the client and nothing is logged. 

     

  • So, did Chrome change, or did UTM change?   

    It sounds like you are saying that UTM changed, and we have another regression in this release.   Has Support confirmed this as a bug?   

  • Not sure what you mean by UTM changed. 

     

    To clarify. I have this issue with one SG-210 appliance only after upgrading to 9.509-3.  I can re-create the problem on multiple computers using the upgraded SG-210. 

     

    I have another UTM which is using an earlier firmware release which i cannot replicate the issue with. Because of this i have not upgraded that UTM to 9.509-3

  • We are facing this problem, too. Transparent proxy with sso (AD, no STAS) causes timeouts when using Firefox. Firefox tries to authenticate using a https:// address. Internet Explorer is working fine on the same workstation.  Did anyone already open a case with Sophos?

  • Hi

    "Our" problem started with the update to 9.508

     

    Tom

  • Based on this discussion, the options are clear.

    Change transparent mode to no authentication, either at the filter profile or using an exception that applies globally.   Offset the effects of this by deploying standard mode wherever possible.

    Or

    Rebuild using th 9.596 media, who h fixes this regression and the others.

  • Please open a ticket with Sophos Support so that they know of this issue.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

     

    The Sophos Support is not active in the Sophos Community?

     

    Tom

Reply Children